By Intigriti
April 21, 2020
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 10 to 17 April.
Attacking and Auditing Docker Containers and Kubernetes Clusters
After last week’s training on AWS and Azure, @appseccouk is now generously open sourcing another complete training course. This one is about hacking Docker containers and Kubernetes clusters. It includes documentation, Docker Lab virtual machines and an intentionally vulnerable Kubernetes cluster (Google Cloud).
JSON Web Token Validation Bypass in Auth0 Authentication API
This is a nice write-up on bypassing JWT validation. The app checks that the algorithm is not `none`, but relies on a blacklist. Using `alg: nonE` bypasses the case-sensitive filter and allows forging JWT tokens for any user. @zantedotnz also shares the tool he used and links to resources on JWT hacking.
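To make the pattern concrete, here is a small added Python example (not code from the write-up, from Auth0 or from @zantedotnz's tool) that models the mechanism described above: a case-sensitive blacklist of `none` placed in front of a verifier that normalises `alg` to lower case before dispatching, beside an exact-match allowlist that always verifies the signature. The secret, the token contents and the helper names are constructed for the demo, and the lower-casing behaviour is an assumption made to model the bypass, not a claim about any specific library.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key: not a real secret.
SECRET = b"constructed-demo-secret"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256(signing_input: bytes, key: bytes) -> str:
    return b64url_encode(hmac.new(key, signing_input, hashlib.sha256).digest())


def encode_jwt(header: dict, payload: dict, key: bytes) -> str:
    """Build a compact JWT. A 'none'-family alg (any case) gets an empty signature."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{h}.{p}".encode()
    sig = "" if header["alg"].lower() == "none" else hs256(signing_input, key)
    return f"{h}.{p}.{sig}"


def _split(token: str):
    h, p, sig = token.split(".")
    return (json.loads(b64url_decode(h)), json.loads(b64url_decode(p)),
            sig, f"{h}.{p}".encode())


def verify_blacklist(token: str, key: bytes) -> dict:
    """Vulnerable pattern: an app-level, case-sensitive blacklist of 'none'
    in front of a verifier that (assumed here) lower-cases alg before dispatch."""
    header, payload, sig, signing_input = _split(token)
    if header.get("alg") == "none":           # exact-match blacklist
        raise ValueError("alg none rejected")
    alg = str(header.get("alg", "")).lower()  # modelled library normalisation
    if alg == "none":                         # reached by 'nonE', 'None', ...
        return payload                        # signature never checked
    if alg == "hs256" and hmac.compare_digest(hs256(signing_input, key), sig):
        return payload
    raise ValueError("bad signature")


def verify_allowlist(token: str, key: bytes, allowed=("HS256",)) -> dict:
    """Hardened pattern: exact-match allowlist, signature always verified."""
    header, payload, sig, signing_input = _split(token)
    alg = header.get("alg")
    if alg not in allowed:
        raise ValueError(f"alg {alg!r} not permitted")
    if not hmac.compare_digest(hs256(signing_input, key), sig):
        raise ValueError("bad signature")
    return payload


def demo() -> dict:
    """Run both verifiers over a genuine token and an unsigned 'nonE' token;
    return the payload each verifier accepted, or None where it rejected."""
    genuine = encode_jwt({"alg": "HS256", "typ": "JWT"}, {"sub": "alice"}, SECRET)
    # Constructed unsigned token with a mixed-case alg, as in the write-up.
    unsigned = encode_jwt({"alg": "nonE", "typ": "JWT"}, {"sub": "admin"}, SECRET)

    def accepts(verify, token):
        try:
            return verify(token, SECRET)
        except ValueError:
            return None

    return {
        "genuine_blacklist": accepts(verify_blacklist, genuine),
        "genuine_allowlist": accepts(verify_allowlist, genuine),
        "unsigned_blacklist": accepts(verify_blacklist, unsigned),
        "unsigned_allowlist": accepts(verify_allowlist, unsigned),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'accepted ' + str(result) if result else 'rejected'}")
```

The takeaway for reviewers is that the defensive fix is not a better blacklist (`none`, `None`, `NONE`, ...) but pinning the expected algorithm: the verifier should compare `alg` exactly against the one or two values the application actually issues and treat anything else, including any unsigned form, as a hard failure.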
– @hussein98d Talks About Bug Bounties, Recon Methodology, and Shows Some of the Tools He Uses!
– Attacking Secondary Contexts in Web Applications – Sam Curry
– Code that gets you pwn(s|’d) – Louis & Slides
– Using Interlace for organising tests, and multithreading over targets – @codingo
These are the videos/talks I plan on watching as a priority this week. Why? Because I want to learn about @hussein98d’s recon process and bug hunting methodology, @snyff discussing less obvious vulnerabilities, how @codingo_ uses Interlace, and @samwcyo’s attacks on secondary contexts.
How to Remember Everything: Using Roam for Bug Bounty Notes
Choosing a note-taking app is such a never-ending rabbit hole! 🤦 After settling on Joplin, then discovering Notion’s great UI and features, I’m now tempted to check out Roam. @bonjarber does a great job of explaining why Roam’s graph-based approach solves problems all apps based on a “hierarchical tree” have (including Notion).
– The Wonderful World of OAuth: Bug Bounty Edition
– The 5 Most Common GraphQL Security Vulnerabilities & vulnerable-graphql-api
– Bypassing modern XSS mitigations with code-reuse attacks
Depending on the bug classes you are focusing on, these tutorials might come in very handy. The OAuth one will give you ideas for new attacks to test for. The GraphQL article will give you an idea of common GraphQL bugs, and it is accompanied by an intentionally vulnerable API playground. The last tutorial is an excellent introduction to code-reuse attacks and how to leverage them to bypass the latest XSS mitigations like CSP, WAFs and HTML sanitizers.
Bounty Thursdays – H1 paid $2.4m to hackers in ONE week, VirSecCon aftermath & Burp Bounty update
Bug bounty’s 101: What you need to know before hacking (on Intigriti) & Picking a platform
OSINT 10 Minute Tips: Reverse Image Searching #1, Snapchat #1 & Data Scraping and Visualizing using Instant Data Scraper, ViewDNS.info, and Maltego
Webinar 1 Security AMA With Jayson Street (Who’s Your Hacker Con)
Bug bounties and burnout: Learn how to preserve your mental health
To Hunt or Not To Hunt; This is Never a !=? – Tyler Robinson – PSW #646
Application Security Weekly #103 – Zooming Alex Stamos & Building Security TestOps
Security Weekly News #25 – Zombieware, 5G Conspiracies, & C-Suite Targets
Risky Business #579 — Apple and Google go all in on contact tracing
Layer 8 Podcast – Episode 21: Adam Compton – The Ladder and the Big Gulp
Cybersecurity for Remote Workers: 3 Unexpected Ways Hackers Hit Households
Dirk-jan streaming ROADtools – Azure AD exploration & ROADtools
SANS webcasts:
Server-Side Template Injection (SSTI) in ASP.NET Razor
Quick Burp tip: Using Burp without changing your OS proxy settings
LinkedIn OSINT Techniques (II) & LinkedIn OSINT Attack Surface
How We Hacked an Android Game And Ranked First globally #Android
TikTok Vulnerability Enables Hackers to Show Users Fake Videos #Web
Issue 2021: git: Newline injection in credential helper protocol #Web
Advanced Javascript injections : Amazon XSS to full account takeover #Web
Netflix Party — XSS Vulnerabilities (Netflix)
Denial of service to WP-JSON API by cache poisoning the CORS allow origin header (Automattic, $550)
Code injection in macOS Desktop Client (Nextcloud, $250)
ffufplus & Introduction: ffuf on Steroids
SQLTruncScanner: Burp Suite extension for identifying possible SQL Truncation vulnerabilities & SQL truncation lab
qsinject (Query String Inject): A tool that allows you to quickly substitute query string values with regex matches, one-at-a-time
burp-exporter: A Burp Suite extension to copy a request to the clipboard as multiple programming languages functions
ParamSpider: Mining parameters from dark corners of Web Archives
Default HTTP Login Hunter & Introduction: Login hunter of default credentials for administrative web interfaces leveraging NNdefaccts dataset
haktldextract: Extract domains/subdomains from URLs en masse
wpvulns.com: All WordPress version vulnerabilities for free without any limitations
ExGen: A simple python script to create exploit templates for XSSI, JSONP Hijacking, Clickjacking and CORS vulnerabilities
FinDOM-XSS: DOM XSS scanner in Bash
MagicRecon: Bash wrapper around many recon tools
QuickSQL: A simple MSSQL query tool that allows you to connect to MSSQL databases and does not require administrative level rights to use
Lollipopz: Data exfiltration utility for testing detection capabilities
Pet: Simple command-line snippet manager, written in Go
SweetPotato & Introduction: Local Service to SYSTEM privilege escalation from Windows 7 to Windows 10 / Server 2019
PowerSharpPack: Many offensive C# binaries now usable from within PowerShell
pwndrop & Pwndrop – Self-hosting Your Red Team Payloads: Self-deployable file hosting service for red teamers, allowing you to easily upload and share payloads over HTTP and WebDAV
The Path for Testing Path Traversal Vulnerabilities with Python
Prepare to Write A Scanner Plugin Before Your Next Platform Test!
Targeting a macOS Application? Update Your Path Traversal Lists
New Stealth Magecart Attack Bypasses Payment Services Using Iframes
The scraping API has been discontinued due to active abuse by third parties for commercial purposes…
Rapid7 launches AttackerKB, a service for crowdsourcing vulnerability assessments
jQuery 3.5.0 Released! but they are evaluating options and developing a model for independent security researchers
Participate in independent survey to understand bug hunters’ motivations and challenges
Ethereum 2.0 bug bounty program gathers pace ahead of major blockchain platform update
How much is the phish? Underground market of phishing kits is booming — Group-IB
[SURVEY] 79% of Americans Share Passwords, But Only 13% Are Worried About Identity Theft
Microsoft April 2020 Patch Tuesday fixes 3 zero-days, 15 critical flaws
Kernel vulnerabilities in Android devices using Qualcomm chips explored
Academics steal data from air-gapped systems using PC fan vibrations
That critical VMware vuln allowed anyone on your network to create new admin users, no creds needed
TikTok users beware: Hackers could swap your videos with their own
Coronavirus: Cisco wanted to delay patch for critical flaw in phone used by doctors
Wappalyzer discloses security breach after hacker starts emailing users
SentinelOne researcher trolled in new MBRLocker ransomware campaign
49 malicious Chrome extensions caught pickpocketing crypto wallets
Magecart gang bypasses iframe protection on hosted payment site
Microsoft opens AccountGuard to healthcare providers on the COVID-19 front lines
Coronavirus contact tracing apps are worse than useless – Schneier
Coronavirus scams: This is how much people have lost to online fraudsters so far
Hackers Are Selling a Critical Zoom Zero-Day Exploit for $500,000
Everything is Insecure: What Matters is What You’re Getting vs. Giving Up
US offers $5 million reward for information on North Korean hackers
New tool detects AWS intrusions where hackers abuse self-replicating tokens
Windows Defender crashes: Microsoft fixes bug causing full scans to fail
Meet the team: Tom Hudson – Collaboration is the way forward
Interview: Metasploit founder HD Moore on bug bounties, computer security laws, and coronavirus
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 04/10/2020 to 04/17/2020.
Curated by Pentester Land & Sponsored by Intigriti